Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia
|
|
- Anthony Neal
- 8 years ago
- Views:
Transcription
1 Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia
2 Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes for unsecure software. OWASP identified the ten most experienced vulnerabilities in web applicaties. This presentation describes these vulnerabilities: Own experiences or publicly known examples. Description of the problem. How to prevent these flaws in J2EE applications? Target audience: J2EE developers and architects.
3 Input Web application To backends Output Platform Application Server OS Network
4 #1: Unvalidated Input - Experience Intented: /ImageServlet?url= But also possible: /ImageServlet?url= /ImageServlet?url=file:///etc/passwd With this simple application port scan were indirectly possible.
5 #1: Unvalidated Input - Description Attacker can tamper with any part of HTTP request url, querystring, headers, cookies, form fields, hidden fields Common input tampering attacks include: forced browsing, command insertion, cross site scripting, buffer overflows, format string attacks, SQL injection, cookie poisoning, hidden field manipulation. Possible causes Input is only validated at the client Filtering without canonicalization Opens the door to other vulnerabilities
6 #1: Unvalidated Input - Description Easier than you might imagine with LiveHTTPHeaders
7 #1: Unvalidated Input - Measures All input should be validated at server with central library: Request parameters, cookies, headers Parameters should be validated against positive specs: Data type (string, integer, real, etc ) Minimum and maximum length Whether null is allowed Whether the parameter is required or not Numeric range Specific patterns (regular expressions) Perform code review Don t misuse hidden fields Store in session or retrieve values with each request
8 #2: Buffer Overflows Hm, this one sounds familiar; not only in web applications. Description More input feeded in application than what fits in its buffer, causing malicious code to be executed. This shouldn t be a problem in Java, should it? Measures OutOfMemoryError Backend systems Native code Avoid using native code
9 Input Web application To backends Output Platform Application Server OS Network
10 #3: Injection Flaws - Experiences LoginModule used following SQL query: "SELECT * FROM users WHERE user = '" + username + "' AND password = '" + hashedpassword + "'" Can easily be cracked by: username: <any existing username>' OR 'a' = 'a password: any password that passes validation rules Results in the following String: SELECT * FROM users WHERE user = 'admin' OR 'a' = 'a' AND password = secret'
11 #3: Injection Flaws - Description Anywhere an interpreter is used: Script languages such as Perl, Python and JavaScript. Shells for executing applications like sendmail (e.g. ; rm -r ). Calls to the operating system via system calls. Database systems: SQL injection (e.g. 1=1). Path traversal (e.g.../../etc/passwd). Typical dangers: Runtime.exec() String concatenated SQL File in- and output streams
12 #3: Injection Flaws - Measures Avoid accessing external interpreters wherever possible, use language specific libraries instead: Avoid Runtime.exec(), send mail via JavaMail API. Encode values before sending to backends: Single quotes in SQL statements. Comma's, parenthesis, etc. in LDAP statements. Even better: always use JDBC PreparedStatements. Run application with limited privileges. All output, return codes and error codes from the call should be checked.
13 Input Web application To backends Output Platform Application Server OS Network
14 #4: Cross Site Scripting (XSS) - Example Website of online bank showed value in request parameter literally in the browser. In a tricked URL a piece of javascript was inserted in the page that showed a fake page: "><script language=javascript src=" /sun/sun.js"> </script>
15 #4: Cross Site Scripting (XSS) - Description Attacker sends malicious code to end-user s browser Output is sent to browser without validation Browser trusts the code. Malicious script can Access any cookies, session tokens, or other sensitive information retained by your browser. Rewrite the content of the HTML page. Two categories Stored, e.g. database, message forum, visitor log. Reflected, e.g. error message, search result via mail. Examples Session hijacking Phishing
16 #4: Cross Site Scripting (XSS) - Measures Input validation Encode all output (HTMLEncode or JSTL c:out): < < > > ( ( ) ) # # & & Truncate input to reasonable length. If your application needs to show HTML that has been entered by a user, you could filter all <SCRIPT> tags, but
17 #5: Improper Error Handling - Example With wrong username, the following message was shown: With a wrong password, the following message was shown:
18 #5: Improper Error Handling - Description Error messages can reveal implementation details that should never be revealed giving a hacker clues on potential flaws. Examples Stack traces, database dumps, error codes. JSP compilation errors containing paths. Inconsistent error messages (e.g. access denied v.s. not found). Errors causing server to crash (denial of service). Incorrectly encoded wrong input can cause XSS attack.
19 #5: Improper Error Handling - Measures Define a clear and consistent error handling mechanism Short meaningful error message to the user (e.g. with error id). Log any information for the system administrator (could refer to error id). No useful information to an attacker (don t show stack trace or exception message. Both visible and hidden!). When error displays wrong input, encode this to prevent XSS attacks. Precompile all JSPs before deployment to production. Modify default error pages (404, 401, etc.). Perform code review.
20 Input Web application To backends Output Platform Application Server OS Network
21 #6: Broken Access Control - Example Website of Christine le Duc didn t have access control on the page for showing an order: a link in a newsarticle on NU.nl lead to an open order. Order id s were easy to guess. Orders could even be updated.
22 #6: Broken Access Control - Description Content or functions are not effectively secured for authorized people only. Examples: Insecure Id s Forced browsing past access control checks Path traversal File permissions Client side caching Possible causes: Authentication is only performed at first screen. Authorization is only done on URL, not on content. Home-grown decentralized authorization schemes.
23 #6: Broken Access Control - Measures Check access at every request, not only when getting the first request. Don t implement your own access control, use J2EE CMS or some other framework like Acegi. Declarative instead of programmatic. Centralized access control. N.B.: J2EE Web security by default allows access to all URL s. Optionally extend with instance-based access control. HTTP headers and meta tags to prevent caching. Use OS security to prevent access to server files.
24 #7: Broken Authentication and Session Management - Experience Application with own login mechanism for the administrative pages. Didn t use a session cookie, but encoded username and password in de URL: 0c6ccf51b817885e&username= ea80882d This URL could easily be captured with a XSS attack.
25 #7: Broken Authentication and Session Management - Description Weak authentication and session management. Examples: Easily guessable usernames and passwords. Flawed credential management functions, such as password change, forgot my password and account update. Shoulder surfing. Hijack an active session, assuming identity of user. HTTP is stateless, so no standard session management: URL rewriting with JSessionID (Session) cookies
26 #7: Broken Authentication and Session Management - Measures Use strong authentication mechanisms: Password policies (strength, use, change control, storage). Secure transport (SSL). Carefully implement forgotten password functionality. Remove default usernames. Problems with session mechanisms: Session cookie must be secure. Session IDs should not be guessable. Don t implement your own mechanism, but use what is provided by your application server.
27 Input Web application To backends Output Platform Application Server OS Network
28 #8: Insecure Storage - Experience Daily backups were stored on a portable harddisk that was safely stored by the administrator at home. The data was not encrypted; after a burglary or loss all data would be on the street.
29 #8: Insecure Storage - Description Sensitive data should be stored in a secure way. Examples: Failure to encrypt critical data Insecure storage of keys, certificates, and passwords Poor sources of randomness Poor choice of algorithm Attempting to invent a new encryption algorithm Failure to include support for encryption key changes and other required maintenance procedures
30 #8: Insecure Storage - Measures Only store information that is absolutely necessary Request users to re-enter each time. Store a hash value instead of encrypted value. Don t allow any direct channels to the backend: No direct access to database or files. Don t store data in files in the document root of your web server. Don t implement your own encryption algorithm, but use JCE (Java Cryptography Extension). Store public and private keys safely in keystores.
31 #9: Insecure Configuration Management - Description Your web application runs in an environment that should be configured securily: Application server and web server. Backend systems, like database-, directory- and mail servers. Operating system and network infrastructure. Most common vulnerabilities: Unpatched versions with known security flaws. Unnecessary default, backup, or sample files Open administrative services. Default accounts with default passwords. Misconfigured SSL certificates Gap between developers and administrators.
32 #9: Insecure Configuration Management - Measures Create hardening guideline for each server configuration Configuring all security mechanisms Turning off all unused services Setting up roles, permissions, and accounts, including disabling all default accounts or changing their passwords Logging and alerts (Semi) automatic configuration process. Using tools like Ant and Ghost. Stay up to date: Monitor and apply latest security vulnerabilities published Update security configuration guideline Regular vulnerability scanning from both internal and external perspectives
33 #10: Denial of Service - Experience Application retrieved a lot of information from backend content management systems. One request on the front-end resulted in three requests at the same back-end.
34 #10: Denial of Service - Description Web applications are susceptible to a denial of service, because it is hard to detect the difference between ordinary traffic and an attack. Easy to generate a lot of load. Examples: Limited resources can easily be the target: bandwidth, database connections, disk storage, CPU, Memory, Threads. Also limited to a particular user, e.g. user lockout or change password. Unhandled exceptions.
35 #10: Denial of Service - Measures Avoid requests that result on heavy system load: CPU: heavy queries, JDBC connections. Memory disk space: large POST or HttpSession data. Definitely for anonymous users. Test your application under heavy load. Make use of caching to restrict database access. Think carefully about lockout or password change mechanisms.
36 Bonus Input Web application To backends Output Platform Application Server OS Network
37 #11: Cross-site Request Forgery - Example Orkut is a website for managing networks of friends and colleagues, like LinkedIn. A lot of actions in Orkut take place by clicking on icons with URLs like: addfriend.do?friend=attacker@hotmail.com Opening this URL by an authenticated person is possible through a XSS attack, but also with hidden IFRAME, etc. Result: a lot of friends in a short time.
38 #11: Cross-site Request Forgery - Description Name looks like Cross-Site Scripting, but totally different: XSS misuses the trust of the user in a web application. CSRF misuses the trust of the web application in the user. Forging the enactor and making a request appear to come from a trusted site user Sometimes called session riding. Examples Trick a user into making a request by placing a link in an image tag. Accept user input from trusted and authenticated users yet do not verify the location from which the data is coming.
39 #11: Cross-site Request Forgery - Measures Use GET for queries: Easy to bookmark for later. Can be sent via to a colleague or friend. Use POST for updates: Can t be bookmarked or sent be . Can t be reloaded accidentally. More difficult with XSS attack. Some frameworks support this difference: Struts not by default. Spring Web MVC supports it: SimpleFormController, WebContentInterceptor. Use a timestamp and encryption in own links.
40 Conclusion An overview of the most common vulnerabilities, but only the minimum. Look further than the symptoms. Security should be an integral part of your development: Requirements Design Code Test Most important secure coding principles: Never trust input from the user. Never present more information than necessary. Test how your application performs under heavy load.
41 More information OWASP top ten: Cross-site Request Forgery: W3C advisory about GET vs. POST: George Guninski: Xebia:
What is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationSimon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470
Web Security Dr. Abhijit Sen 95% of web apps have Vulnerabilities Cross-site scripting (80 per cent) SQL injection (62 per cent) Parameter tampering (60 per cent) http://www.vnunet.com/vnunet/news/2124247/web-applicationswide-open-hackers
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationTop 10 Web Application Security Vulnerabilities - with focus on PHP
Top 10 Web Application Security Vulnerabilities - with focus on PHP Louise Berthilson Alberto Escudero Pascual 1 Resources The Top 10 Project by OWASP www.owasp.org/index.php/owasp_top_ten_project
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus
ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationWeb Application Security
Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationWeb Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationSichere Software- Entwicklung für Java Entwickler
Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART
More informationIntroduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3
Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationApplication Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il
Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems
More informationSecurity in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References
ITIS 4166/5166 Network Based Application Development Security in Network-Based Applications Anita Raja Spring 2006 Agenda Network Security. Application Security. Web Services Security. References Open
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationApplication Security Vulnerabilities, Mitigation, and Consequences
Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationWeb Application Guidelines
Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security
More informationOWASP Web Application Penetration Checklist. Version 1.1
Version 1.1 July 14, 2004 This document is released under the GNU documentation license and is Copyrighted to the OWASP Foundation. You should read and understand that license and copyright conditions.
More informationEnterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
More informationWeb Application Security
E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationJVA-122. Secure Java Web Development
JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard
More informationSecure Web Application Coding Team February 23, 2006 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team February 23, 2006 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. John Ockerbloom to run meeting thank you! 2. Susan Kennedy to take minutes 3. Team Website
More informationApplication Security Testing
Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationUsing Foundstone CookieDigger to Analyze Web Session Management
Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.
More informationData Breaches and Web Servers: The Giant Sucking Sound
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
More informationImplementation of Web Application Firewall
Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationOWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741
OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection 2
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationExternal Network & Web Application Assessment. For The XXX Group LLC October 2012
External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution
More informationStill Aren't Doing. Frank Kim
Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding
More informationWeb Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
More informationWeb Application Security
Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationSecure development and the SDLC. Presented By Jerry Hoff @jerryhoff
Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non
More informationColumbia University Web Application Security Standards and Practices. Objective and Scope
Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline
More informationWeb Application Firewall on SonicWALL SSL VPN
Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following
More informationDon t Get Burned! Are you Leaving your Critical Applications Defenseless?
Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Ed Bassett Carolyn Ryll, CISSP Enspherics Division of CIBER Presentation Overview Applications Exposed The evolving application
More informationAnnex B - Content Management System (CMS) Qualifying Procedure
Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum
More informationThreat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda
Threat Modeling/ Security Testing Presented by: Tarun Banga Sr. Manager Quality Engineering, Adobe Quality Leader (India) Adobe Systems India Pvt. Ltd. Agenda Security Principles Why Security Testing Security
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationSecurity Code Review- Identifying Web Vulnerabilities
Security Code Review- Identifying Web Vulnerabilities Kiran Maraju, CISSP, CEH, ITIL, SCJP Email: Kiran_maraju@yahoo.com 1 1.1.1 Abstract Security Code Review- Identifying Web Vulnerabilities This paper
More informationØredev 2006. Web application testing using a proxy. Lucas Nelson, Symantec Inc.
Øredev 2006 Web application testing using a proxy Lucas Nelson, Symantec Inc. Agenda What is a proxy? Setting up your environment Pre-login tests Post-login tests Conclusion A man in the middle proxy The
More informationApplication Security Policy
Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy
More informationWeb Security Testing Cookbook*
Web Security Testing Cookbook* Systematic Techniques to Find Problems Fast Paco Hope and Ben Walther O'REILLY' Beijing Cambridge Farnham Koln Sebastopol Tokyo Table of Contents Foreword Preface xiii xv
More informationSoftware Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0
Special Publication 500-269 Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 Paul E. Black Elizabeth Fong Vadim Okun Romain Gaucher Software Diagnostics and
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationAn Introduction to Application Security in J2EE Environments
An Introduction to Application Security in J2EE Environments Dan Cornell Denim Group, Ltd. www.denimgroup.com Overview Background What is Application Security and Why is It Important? Specific Reference
More informationBug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
More informationWeb Vulnerability Detection and Security Mechanism
Web Vulnerability Detection and Security Mechanism Katkar Anjali S., Kulkarni Raj B. ABSTRACT Web applications consist of several different and interacting technologies. These interactions between different
More informationCloud Security Framework (CSF): Gap Analysis & Roadmap
Cloud Security Framework (CSF): Gap Analysis & Roadmap Contributors: Suren Karavettil, Bhumip Khasnabish Ning So, Gene Golovinsky, Meng Yu & Wei Yinxing Please send comments & suggestions to Suren Karavettil
More informationAnnual Web Application Security Report 2011
Annual Web Application Security Report 2011 An analysis of vulnerabilities found in external Web Application Security tests conducted by NTA Monitor during 2010 Contents 1.0 Introduction... 3 2.0 Summary...
More informationNational Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research
National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?
More informationWeb Application Security. Srikumar Venugopal S2, Week 8, 2013
Web Application Security Srikumar Venugopal S2, Week 8, 2013 Before we start Acknowledgements This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc.
More informationWHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them
More informationWeb Application Security
Web Application Security Security Mitigations Halito 26 juni 2014 Content Content... 2 Scope of this document... 3 OWASP Top 10... 4 A1 - Injection... 4... 4... 4 A2 - Broken Authentication and Session
More informationQuality Assurance version 1
Quality Assurance version 1 Introduction Quality assurance (QA) is a standardised method that ensures that everything works as it was intended to work and looks as it was intended to look. It should force
More informationRuby on Rails Secure Coding Recommendations
Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional
More informationGateway Apps - Security Summary SECURITY SUMMARY
Gateway Apps - Security Summary SECURITY SUMMARY 27/02/2015 Document Status Title Harmony Security summary Author(s) Yabing Li Version V1.0 Status draft Change Record Date Author Version Change reference
More information